Created
July 30, 2017 23:35
-
-
Save mctaylorpants/4973f06e4724bd71ac794b4bfada01b9 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # actionpack/lib/action_controller/metal/request_forgery_protection.rb | |
| # Sets the token value for the current session. | |
| def form_authenticity_token(form_options: {}) | |
| masked_authenticity_token(session, form_options: form_options) | |
| end | |
| # Creates a masked version of the authenticity token that varies | |
| # on each request. The masking is used to mitigate SSL attacks | |
| # like BREACH. | |
| def masked_authenticity_token(session, form_options: {}) # :doc: | |
| # ... | |
| raw_token = if per_form_csrf_tokens && action && method | |
| # ... | |
| else | |
| real_csrf_token(session) | |
| end | |
| one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH) | |
| encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token) | |
| masked_token = one_time_pad + encrypted_csrf_token | |
| Base64.strict_encode64(masked_token) | |
| end |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment